
Cherry Picker

Posted: May 23, 2019

Cherry Picker is the name of a piece of Point-of-Sale (PoS) malware that employs advanced mechanisms to gain persistence, scrape credit card data from the memory of infected hosts, and then wipe out all traces of its activity. These abilities allowed Cherry Picker to remain undetected for a long time: the first instance of the malware was spotted in 2011, and the analyzed sample was first compiled in 2009, which means Cherry Picker is likely to have been active long before cybersecurity experts detected it. Further analysis and reports from victims showed that the threat underwent several updates over the years, the most recent of which happened in 2015.

Cherry Picker gains persistence by modifying the Windows Registry, using the 'AppInit_DLLs' value and its 'LoadAppInit_DLLs' switch under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows. When LoadAppInit_DLLs is enabled, every process that loads user32.dll also loads the DLLs listed in AppInit_DLLs, so many popular software suites load the harmful DLL as soon as they start. On 64-bit systems the same value exists under the WOW6432Node mirror of that key for 32-bit processes, so both views need to be checked; note that on Windows 8 and later the AppInit_DLLs mechanism is disabled when Secure Boot is enabled, which limits this technique to older or less hardened PoS installations.
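The check a responder would run against a PoS host: export the two Registry keys and flag any view where the loader switch is on and a DLL is listed. The script below is an added example, not code from the page or from the malware; REG_TEXT is a constructed `reg export` output and the DLL path `helper32.dll` in it is a placeholder, not an indicator from any real sample.

```python
"""Triage a .reg export for AppInit_DLLs persistence (added example)."""
import re

# Both views of the key on 64-bit Windows: native and the WOW6432Node mirror.
APPINIT_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows",
)

# Constructed export, as `reg export <key> out.reg` would write it. REG_SZ
# backslashes are doubled in the .reg format. The DLL name is a placeholder.
REG_TEXT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\Windows\\System32\\helper32.dll"
"LoadAppInit_DLLs"=dword:00000001
"RequireSignedAppInit_DLLs"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"LoadAppInit_DLLs"=dword:00000000
"""

VALUE_LINE = re.compile(r'"([^"]+)"=(.*)')


def parse_reg_export(text):
    """Return {key_path: {value_name: value}}; handles REG_SZ and REG_DWORD lines."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            m = VALUE_LINE.match(line)
            if not m:
                continue
            name, raw = m.groups()
            if raw.startswith("dword:"):
                keys[current][name] = int(raw[len("dword:"):], 16)
            elif raw.startswith('"') and raw.endswith('"'):
                # Undo the .reg escaping of backslashes in REG_SZ data.
                keys[current][name] = raw[1:-1].replace("\\\\", "\\")
    return keys


def appinit_findings(keys):
    """Flag each view where LoadAppInit_DLLs == 1 and AppInit_DLLs names a DLL.

    AppInit_DLLs is a space- or comma-separated list, so one value may carry
    several DLLs."""
    findings = []
    for key in APPINIT_KEYS:
        vals = keys.get(key, {})
        dlls = [d for d in re.split(r"[ ,]+", vals.get("AppInit_DLLs", "")) if d]
        if vals.get("LoadAppInit_DLLs", 0) == 1 and dlls:
            findings.append({
                "key": key,
                "dlls": dlls,
                # When this is 1 only signed DLLs load, which raises the bar for an attacker.
                "signed_only": vals.get("RequireSignedAppInit_DLLs", 0) == 1,
            })
    return findings


if __name__ == "__main__":
    for finding in appinit_findings(parse_reg_export(REG_TEXT)):
        print(finding)
```

Run it against a real export and every hit needs a look: a legitimate AppInit DLL is rare on a payment terminal, and an unsigned one listed while the loader switch is on is exactly the configuration described above.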

The first thing Cherry Picker does after gaining persistence is look for a configuration file whose path is hardcoded in the sample. In one case the file was called 'graph32.dll', but the authors can change the name easily. This plain-text file holds the details of the attacker's FTP server (IP address, username and password). It can also instruct the malware to store the extracted credit card data in encrypted RAR archives, whose names are again taken from a configuration option. The last two lines of the configuration file tell the malware when to exfiltrate the harvested data and how long to wait before scraping memory.

The most interesting part of the configuration, however, is the 'Target Process' field. It implies that the attackers analyze the compromised host beforehand and know exactly which process handles card data, so the malware scrapes only that process's memory for track data. If Cherry Picker does not find this process, it terminates itself. This suggests that Cherry Picker is used against carefully selected targets, which has greatly helped it stay under the radar for as long as possible.
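What the scraper is looking for inside the target process is unencrypted magnetic-stripe track data, and an analyst who dumps that process's memory looks for the same thing to confirm exposure. The script below is an added example, not the malware's code: it scans a buffer for Track 1 and Track 2 patterns and keeps only PANs that pass the Luhn check, which is how scrapers discard the many digit runs in memory that are not card numbers. MEMORY is a constructed buffer and the card numbers in it are well-known test numbers, not real accounts.

```python
"""Scan a process memory buffer for track data and Luhn-validate the PAN (added example)."""
import re

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1 = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})\d{3}[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})\d{3}[^?]*\?")

# Constructed memory contents: two valid test cards plus a decoy that looks
# like Track 2 but fails Luhn, surrounded by junk a real heap would contain.
MEMORY = (
    b"\x00" * 16
    + b"TXN 0042 OK "
    + b"%B4111111111111111^DOE/JOHN^2512101000000000000?"
    + b"\x00" * 8
    + b";5555555555554444=25121010000000000?"
    + b"\x00" * 8
    + b";1234567890123456=25121010000000000?"
    + b"\x00" * 16
)


def luhn_ok(pan: bytes) -> bool:
    """Luhn mod-10 check over ASCII digits, iterating from the rightmost digit."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ch - 0x30
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN and last four only, so findings can be logged without spreading card data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_memory(buf: bytes, require_luhn: bool = False):
    """Return track-data hits found in buf, ordered by offset."""
    hits = []
    for m in TRACK1.finditer(buf):
        pan = m.group(1)
        hits.append({"track": 1, "offset": m.start(), "pan": pan.decode(),
                     "name": m.group(2).decode(errors="replace"),
                     "exp": m.group(3).decode(), "luhn": luhn_ok(pan)})
    for m in TRACK2.finditer(buf):
        pan = m.group(1)
        hits.append({"track": 2, "offset": m.start(), "pan": pan.decode(),
                     "name": None, "exp": m.group(2).decode(), "luhn": luhn_ok(pan)})
    if require_luhn:
        hits = [h for h in hits if h["luhn"]]
    return sorted(hits, key=lambda h: h["offset"])


if __name__ == "__main__":
    for h in scan_memory(MEMORY):
        print(f"track{h['track']} @0x{h['offset']:04x} {mask_pan(h['pan'])} exp={h['exp']} luhn={h['luhn']}")
```

On a live case, feed the function a memory dump of the process named in the 'Target Process' field rather than the constructed buffer; if valid track data appears in that process's memory, the PoS application is handling card data in the clear and the scraper has everything it needs.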

The final component of Cherry Picker is usually dropped under the name 'Ccv.exe' and serves as a complex cleaner that wipes out any traces of the harmful activity on the compromised host. Every sample of Cherry Picker appears to be packed with a separately configured cleaner that looks for hardcoded Registry keys, paths and files. It does not merely delete files: it overwrites the space they occupied with 0x00 bytes, 0xFF bytes and meaningless content, which is then wiped again. This is enough to defeat professional file recovery software, reducing the odds that a malware analyst can restore Cherry Picker's components and analyze its activity.
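The overwrite-then-delete pattern described above, as an added example rather than the cleaner's own code, with a check of what would be left for a file carver after each pass. The pass order (0x00, 0xFF, then junk) follows the text; that the junk comes from `os.urandom` is an assumption, since the page does not say how the cleaner produces its meaningless content.

```python
"""Multi-pass overwrite before unlink, and what survives each pass (added example)."""
import os
import tempfile

# Pass fills in the order the text describes. None means random bytes
# (an assumption about how the junk content is generated).
WIPE_PASSES = (b"\x00", b"\xff", None)


def wipe_file(path, passes=WIPE_PASSES):
    """Overwrite every byte of `path` once per pass, then remove it.

    Returns the content read back after each pass so the caller can confirm the
    original bytes were gone before the directory entry disappeared."""
    size = os.path.getsize(path)
    readback = []
    with open(path, "r+b", buffering=0) as fh:
        for fill in passes:
            data = os.urandom(size) if fill is None else fill * size
            fh.seek(0)
            fh.write(data)
            fh.flush()
            os.fsync(fh.fileno())  # force the overwrite to storage, not just the page cache
            fh.seek(0)
            readback.append(fh.read(size))
    os.remove(path)
    return readback


def wipe_demo(original=b";4111111111111111=25121010000000000?\n" * 4):
    """Write a constructed scrape file (test card number), wipe it, report what a carver could see."""
    fd, path = tempfile.mkstemp(prefix="scrape_")
    with os.fdopen(fd, "wb") as fh:
        fh.write(original)
    passes = wipe_file(path)
    n = len(original)
    return {
        "removed": not os.path.exists(path),
        "passes": len(passes),
        "first_pass_zero": passes[0] == b"\x00" * n,
        "second_pass_ff": passes[1] == b"\xff" * n,
        # A carver searching for the start of the track data would not find it in any pass.
        "original_survived_any_pass": any(original[:16] in p for p in passes),
    }


if __name__ == "__main__":
    print(wipe_demo())
```

The forensic caveat is that in-place overwriting only defeats recovery where the filesystem really rewrites the same blocks: on SSDs with wear levelling and on copy-on-write or journaled volumes the old blocks may persist elsewhere, so a disk image taken early can still yield fragments that the cleaner believed it had destroyed.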

PoS malware rarely stands out with any particular feature; its authors often rely on a simple memory scraper to net a lot of money in a short time. On rare occasions, however, we encounter something like Cherry Picker, a state-of-the-art tool whose authors crafted an elaborate product and infection campaign that allowed them to operate for years.
